| Info |
|---|
This article is valid for Smart ID Identity Manager 24.R1 or later. |
...
use-case: Encryption and decryption of fields in the Identity Manager database
required: always
configured in these applications:
Identity Manager Admin (previously know as PRIME Designer)
Identity Manager Operator (previously known as PRIME Explorer)
configured in these special-case tools:
batch_secretfieldstore_change_encryption_key
(repair tool for secret fields)
batch_migration_smartact_to_prime
(for migration of data from Identity Manager's/PRIME's predecessor SmartAct, it has additional requirements for decrypting secret fields and config entries from the source system)
storage: pkcs12, HSM (recommended)
versioning: not supported, always uses version 1
supported asymClipher values:
for HSM
RSA/ECB/OAEPWithSHA-384AndMGF1PaddingRSA/ECB/OAEPWithSHA-512AndMGF1Padding
for PKCS#12
RSA/None/OAEPWithSHA384AndMGF1PaddingRSA/None/OAEPWithSHA512AndMGF1Padding
general requirements:
placeholder keys/certs forbidden for productive use
confidentiality of database secrets would be at risk
the key can only be changed with the tool batch_secretfieldstore_change_encryption_key once the first secret is stored in the database
key requirements:
supported types:
RSA 2048
RSA 3072
RSA 4096 (recommended)
certificate requirements:
no special requirements, as only the key-pair is used
may be self-signed
key usage is not checked (recommended for informational purposes: set dataEncipherment)
validity is ignored
certificate does not need to be trusted
...
use-case: Encryption of the configuration files
required: always
configured in these applications
Identity Manager Admin / (earlier know as PRIME Designer)
Identity Manager Operator / (earlier known as PRIME Explorer)
storage: pkcs12, HSM (recommended)
versioning: not supported, always uses version 1
supported asymClipher values:
for HSM
RSA/ECB/OAEPWithSHA-384AndMGF1PaddingRSA/ECB/OAEPWithSHA-512AndMGF1Padding
for PKCS#12
RSA/None/OAEPWithSHA384AndMGF1PaddingRSA/None/OAEPWithSHA512AndMGF1Padding
NOTE: but you cannot reconfigure the asymCipher after exporting an encrypted ZIP, as config import of such a ZIP will fail
general requirements:
placeholder allowed only if config ZIP encryption is disabled
after changing the key you cannot decrypt previously exported config ZIPs that use encryption
key requirements:
supported types:
RSA 2048
RSA 3072
RSA 4096 (recommended)
certificate requirements:
no special requirements, as only the key-pair is used
may be self-signed
key usage is not checked (recommended for informational purposes: set dataEncipherment + keyEncipherment)
validity is ignored
certificate does not need to be trusted
...
use-case: authenticate to the IN Groupe Inside Server, which performs certain cryptographic operations on behalf of IDM when using the Idopte middleware (see Encoding using Idopte middleware in Identity Manager)
configured in this application:
Identity Manager Operator
general requirements:
descriptor can be omitted entirely (not even a placeholder needed) if Idopte middleware is not used, otherwise correct certificate and keypair is required
PKI card encoding via the Idopte middleware will fail if missing or configured incorrectly
algorithm attribute not used
(we only use certificate and private key from the descriptor)
versioning: not needed
storage: pkcs12
key requirements:
supported types:
RSA 2048
RSA 3072
RSA 4096 (recommended)
certificate requirements:
validity DOES matter, connection to Inside server will fail when expired
unsure if self-signed certs would work (recommend to use CA) Maybe remove “unsure“ from public documentation
must be trusted by Inside server
key usage: digitalSignature
...